Re: [sr #110155] Can not "git fetch upstream" public repos

[Bob Proulx]

Hello Simon,

zimoun wrote:
> Bob Proulx wrote:
> > zimoun wrote:
> > > It works when cloning anonymously. I do not know yet when member
> > > because my account is probably still too fresh.
> >
> > Member access for commit is always through ssh.  That's how we
> > authenticate and authorized users.
> 
> I am lost. How can I get the member access for pulling through ssh?

Unfortunately the simple answer is that it is not completely
simple. :-(

> I mean, I have an fresh account (since a couple of days) and I did
> ssh-keygen and uploaded my public. Well, I have waited a couple of
> hours (all the european night :-)) -- time for propagating as the doc
> explains -- but it does still not work. What am I doing wrong?

In order to use ssh member access you must be a member of a project.
Any project.  At this time I see your user page says this:

  http://savannah.gnu.org/users/zimoun
  This user is not a member of any Group

Since you are not a member of any group there is no ssh access.

But something else of which I am sure you are not aware is that there
aren't any bug reports submitted or any other item associated from
that account either.  It's simply a newly created user account.  At
the moment it is an "Idle" account.  Unfortunately we have had
thousands of accounts created as an abuse.  Spammers will post spam
links in their profile.  And other things.

As an anti-abuse action (relatively recently implemented) if a new
account is created but then does nothing with any of the projects then
it will be automatically deleted.  A warning message is emailed to the
user before this action.

At this time your account is not in a useful state.  It isn't doing
anything.  It isn't a member of any project.  It can't use ssh access
due to not being a member of any project.  It has not submitted any
bug reports.  It has not had any bug reports assigned to it.

This is mentioned here:

  http://savannah.gnu.org/maintenance/UsingGit/
  Note that the ssh transport requires an active Savannah account and
  you must be a member of at least one project group in order for your
  account to be enabled.

This policy has documentation on it here:

  http://savannah.gnu.org/maintenance/IdleAccounts/

There are several things one might do if they want to have their
account persist.  One very simple thing is that they can do is to
comment upon a bug ticket.  At that point their account is no longer
considered Idle because there is activity from it.  One can also
submit a bug ticket.  It would be enough to submit a bug ticket to the
Savannah administration account as a placeholder.  We would see it
here and know what it is for.  Then as well it would not be Idle
anymore.  Note that a ticket closed is still counted as account
activity.

Best would be if one were to contribute to one of the many hosted
projects.  Then the account would be a member of that group.  Then the
account would also have ssh commit access.

> --8<---------------cut here---------------start------------->8---
> git clone ssh://address@hidden:/srv/git/guix/guix-artwork.git
> Cloning into 'guix-artwork'...
> ssh: connect to host git.savannah.gnu.org port 22: Network is unreachable
> fatal: Could not read from remote repository.

That is a network error and nothing related to idle accounts nor
related to member ssh access.  It is simply a network error.  "Network
is unreachable" says that there was a failure in the network
connection between you and the server.  That is almost certainly
caused by the ongoing network abuse attack that is happening now that
is/was overstressing the system at that moment.  It will (hopefully)
be a transient, temporary at most, error.

It might be due to a firewall blocking ssh port 22 access.  If the ssh
port 22 is blocked then it will also appear as the above error due to
the network being unreachable.

It may also be caused by incorrect ssh configuration on the client
side too.

> Please make sure you have the correct access rights
> and the repository exists

That part of the message is from the git client on your system.

> --8<---------------cut here---------------end--------------->8---
> 
> I have tried 'ssh -vvv address@hidden' and my keys are
> apparently well found but the permissions are not set as I expect.

Very good debugging on the above!  That is a good way to verify ssh keys.

> Other said, is it possible to clone/pull (read-only) through ssh
> without write-access? Or is it possible to be member without
> write-access to any group? I have read the doc and I am not sure to
> understand.

Not currently.  As far as I know this is simply the way it has always
been done.

> > Anonymous access through https should be working, when it isn't
> > "browned out" by a DDoS.
> 
> It works for my few tests. Hope that the DDoS is over.

It is still continuing as of this moment.  But we are limping along
better now with some other improvements.  Hopefully the bad agents
will get bored soon and move on.  They will need their resources to
bully another site.

Bob